Information security tips and tricks for both home and business users

Music, Martial Arts, and Information Security

I’ve played piano since I was ten years old. My teacher, Mrs. Keys (no joke, that was her name) put a beginner’s book on the piano in front of me, opened it up to the first lesson, and taught me how to find middle C. Not long after that, she picked up one of those yellow Schirmer books with page after page of scales, arpeggios, and repetitive exercises.

I’m a little older now, arguably a little wiser, and I finally decided to begin studying martial arts. My boys had been studying Kung Fu for years with a Sifu (teacher) at a local school, so I donned my gi and started showing up to the adult classes. The very first thing that Sifu Max did with his new adult class of white belts was to teach all the basic kicks, punches, and stances that would serve as the foundation for the years of teaching ahead of us.

Somewhere between becoming a musician and becoming a martial artist, I threw my hat in the InfoSec ring. I spent quite a few years helping to secure the information systems of a very large public utility here in the Midwest. After that, I moved on to an international luxury retailer, helping them secure the systems (and processes) that enable them to process millions (billions?) of dollars in credit card transactions each year.

And how in the world, you might ask, did my knowledge of public utilities translate to luxury retail? The answer, my dear Watson, is elementary: fundamentals.

Are we analyzing the InfoSec risks (confidentiality, integrity, availability) to the business?

How are we measuring and prioritizing that risk?

Policy Management

Do we have documented policies, procedures, and standards so that our workforce knows what’s expected of them?

Security Organization Management

What does our InfoSec team look like?

Who does what?

Asset Management

What the heck are we securing anyway?

Can we track it?

HR Security Management

Are we teaching our workforce how to securely use their computers?

Do they know our policies?

Do they know what social engineering is?

Physical Security Management

What are we doing to physically protect our information systems?

Security Operations Management

What does our InfoSec team do on a daily basis?

Can we see what’s happening in our environment?

Access Management

How are we controlling access to our systems?

Are we operating under the principle of least privilege?

Is every ID in our access system appropriately restricted?

Information Security Systems Management

Are our systems and apps configured with security in mind?

Security Incident Management

In the event that something bad happens, does everyone know what to do?

Business Continuity Management

In the event of a disaster (i.e., a potential business-ending event), can we keep our doors open and our systems online?

Do we have a documented plan?

Compliance Management

What laws and regulations do we need to comply with?

Are we complying?

These questions are short, sweet, and to the point, but the answers will paint a pretty clear picture of where the obvious gaps are. Closing those gaps means significantly reducing the likelihood that someone will be able to exploit them.

The same principles that apply to music and martial arts apply to InfoSec. If your fundamentals are weak, then everything (and I mean EVERYTHING) you attempt to build on those fundamentals is equally weak.

If you want a solid information security program, then you need to start with (or get back to) the fundamentals.